Skip to main content

Advanced Usage

Use dynamic client management with etcd

To dynamically create or remove OpenID Connect clients, configure the service to get its configuration from an etcd cluster by adding the connection parameters for the cluster in the config.yaml file.

etcd:
    endpoints: ['localhost:2379']
    user: etcd-user
    password: my-password
    tlsDomainName: my.etcd.cluster.example.com
    tlsCaCert: |
        -----BEGIN CERTIFICATE-----
        <ca certificate data>
        -----END CERTIFICATE-----
    tlsClientCert: |
        -----BEGIN CERTIFICATE-----
        <client certificate data>
        -----END CERTIFICATE-----
    tlsClientKey: |
        -----BEGIN RSA PRIVATE KEY-----
        <client key data>
        -----END RSA PRIVATE KEY-----

All fields except endpoints are optional. When everything is set up you can start adding client configurations into the etcd cluster.

CLIENT_SPEC=$(cat <<EOF
{
  "requirements": [{
    "cTypeHash":"0x3291bb126e33b4862d421bfaa1d2f272e6cdfc4f96658988fbcffea8914bd9ac",
    "trustedAttesters": [
    "did:kilt:4pehddkhEanexVTTzWAtrrfo2R7xPnePpuiJLC7shQU894aY",
    "did:kilt:4pnfkRn5UurBJTW92d9TaVLR2CqJdY4z5HPjrEbpGyBykare"
    ],
    "requiredProperties": ["Email"]
  }],
  "redirectUrls": ["http://localhost:1606/callback.html"]
}
EOF
)
CLIENT_SPEC=$(echo $CLIENT_SPEC | jq -c)
etcdctl put /opendid/clients/new-client "${CLIENT_SPEC}"

If you want to try this out, first generate a configuration file using the setup image as described in the OpenDID service step. Then add the etcd configuration and start the service using the example script in ./scripts/start-demo-etcd.sh.

Add advanced claim checks using RHAI scripts

To add custom checks executed on the claims of the Verifiable Credential, use Rhai scripts. To try it, add a checksDirectory entry to the client configuration in the config.yaml file.

Example:

---
clients:
    example-client:
        requirements:
            - cTypeHash: '0x3291bb126e33b4862d421bfaa1d2f272e6cdfc4f96658988fbcffea8914bd9ac'
              trustedAttesters:
                  [
                      'did:kilt:4pehddkhEanexVTTzWAtrrfo2R7xPnePpuiJLC7shQU894aY',
                      'did:kilt:4pnfkRn5UurBJTW92d9TaVLR2CqJdY4z5HPjrEbpGyBykare',
                  ]
              requiredProperties: ['Email']
        redirectUrls:
            - http://localhost:1606/callback.html
        checksDirectory: /app/checks

Create a checks directory in the same directory as the config.yaml file and add a example-check.rhai file with the following content:

// This is an example of a simple login policy that allows only users with an email address ending with `kilt.io` to login.

let SUFFIX = "kilt.io";

// ID_TOKEN contains the id_token to send to the user from the OpenID connect (OIDC) provider
let token = parse_id_token(ID_TOKEN);

// Inspect the token and the `pro` sub-object that contains the users claims
if token.pro.Email.ends_with(SUFFIX) {
  // The user is allowed to login
  return true;
}

// The user is not allowed to login
return false;

Start the service bind-mounting the script:

docker run -d --rm \
    -v $(pwd)/config.yaml:/app/config.yaml \
    -v $(pwd)/checks:/app/checks \
    -e RUNTIME=spiritnet \
    -p 3001:3001 \
    docker.io/kiltprotocol/opendid:latest

When you now log in with a user that has an email address ending with kilt.io as attested by the configured attester, the service allows you to log in. If you use a different email address, the service denies you access.